Re: [Mailman-Users] Critical security update for Mailman 2.1.5 and earlier
Hi!

On Fri, Feb 11, 2005 at 10:06:55AM +0900, Tokio Kikuchi wrote:
> > Python 1 (respectively at least 1.5.2) complains about syntax errors.
> > (Which, in fact, also helps against the vulnerability by displaying
> > the "You've found a Mailman bug" page. ;-)
>
> Change the true_path function as:
>
>     def true_path(path):
>         "Ensure that the path is safe by removing .."
>         import re
>         # strip every run of dots that is followed by a run of slashes
>         path = re.sub(r'\.+/+', '', path)
>         return path[1:]
>
> and try.

Perfect. Thanks! And I've even learned a little bit more Python today. :-)

> Sorry but I have no 2.0.x around

Probably doesn't matter. The function is exactly the same as in 2.1.5.

> but only found a machine which has a working Python 1.x installed.

Thanks for searching.

Kind regards, Axel Beckert
-- 
Axel Beckert                  ecos electronic communication services gmbh
it security solutions * web applications with apache and perl
Mail: Tulpenstrasse 5, D-55276 Dienheim near Mainz
E-Mail: [EMAIL PROTECTED]
Voice: +49 6133 939-220
WWW: http://www.ecos.de/
Fax: +49 6133 939-333
-- 
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
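The following is an added example for the exchange above, not code from the Mailman project, from the list.org patch, or from anyone in this thread. It keeps the regex variant Tokio suggested, puts a segment-based variant next to it (this example's own, not the official patch), and adds a containment check against the archive root. The root directory and the function names are assumptions for the example. The point of the second variant and the check: the regex only removes dots that are followed by a slash, so a path that ends in a bare `..` passes through it unchanged, which is exactly the kind of leftover a final "is the resolved path still under the root" test is there to catch.

```python
"""Path sanitisation for a private-archive CGI, in the style of Mailman's
true_path().  Added example, not Mailman's code or the CAN-2005-0202 patch;
the segment-based variant, the containment check and ARCHIVE_ROOT are this
example's own assumptions."""
import posixpath
import re

# Directory the private archives live under.  Constructed for this example.
ARCHIVE_ROOT = "/usr/local/mailman/archives/private"


def true_path_regex(path):
    """The regex variant from the thread, behaviour unchanged: delete every
    run of dots that is followed by a run of slashes, then drop the leading
    slash of the PATH_INFO."""
    path = re.sub(r"\.+/+", "", path)
    return path[1:]


def true_path_segments(path):
    """Segment-based variant (this example's own): split on '/', drop '.',
    '..' and empty components, and rejoin without a leading slash.  Unlike
    the regex, this also discards a bare trailing '..' with no slash after it."""
    parts = [p for p in path.split("/") if p not in ("", ".", "..")]
    return "/".join(parts)


def resolve_under_root(relative, root=ARCHIVE_ROOT):
    """Defence in depth: join a sanitised relative path to the archive root
    and refuse anything whose normalised form is not still inside it.
    Returns the absolute path, or None when it would leave the root."""
    candidate = posixpath.normpath(posixpath.join(root, relative))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def safe_archive_path(path_info):
    """Sanitise PATH_INFO with the segment filter, then confirm containment."""
    return resolve_under_root(true_path_segments(path_info))


if __name__ == "__main__":
    # Compare the two variants on a normal archive URL, a traversal attempt
    # in the middle of the path, and a bare trailing '..'.
    for p in ("/mylist/2005-February/000001.html", "/mylist/../../elsewhere", "/.."):
        print(repr(p), "->", repr(true_path_regex(p)), "|", repr(safe_archive_path(p)))
```

Run it and the last line shows the difference: the regex turns `/..` into `..`, while the segment filter turns it into an empty relative path and the containment check maps that to the archive root itself; `resolve_under_root("..")` on its own returns None.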
[Mailman-Users] Critical security update for Mailman 2.1.5 and earlier
There is a critical security flaw in Mailman 2.1.5 and earlier Mailman 2.1 versions which can allow remote attackers to gain access to member passwords under certain conditions. The extent of the vulnerability depends on what version of Apache you are running, and (possibly) how you have configured your web server. However, the flaw is in Mailman and has been fixed in CVS and will be included in the Mailman 2.1.6 release. This issue has been assigned CVE number CAN-2005-0202.

We currently believe that Apache 2.0 sites are not vulnerable, and that many if not most Apache 1.3 sites are. In any event, the safest approach is to assume the worst and take the remediation steps indicated below as soon as possible.

The quickest fix is to remove the /usr/local/mailman/cgi-bin/private executable. This will disable all access to all private archives on your system. While this is the quickest and easiest way to close the hole, it will also break all your private archives. If all the lists on your site only run public archives, this won't matter to you.

Until Mailman 2.1.6 is released, the longer term fix is to apply this patch:

http://www.list.org/CAN-2005-0202.txt

For additional peace of mind, it is recommended that you regenerate your member passwords. Instructions on how to do this, and more information about this vulnerability are available here:

http://www.list.org/security.html

My thanks to Tokio Kikuchi, Mark J Cox, and the folks on vendor-sec. This issue was found by Marcus Meissner.

-Barry
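The advisory above tells sites how to close the hole; a site that ran a vulnerable private CGI before patching will also want to know whether it was reached. The following is an added example of that log sweep, not code from Mailman or from the advisory. It assumes Apache's common log format, that the private-archive CGI is served under /mailman/private/ (the conventional ScriptAlias; adjust to the site), and uses constructed log lines. The request path is percent-decoded before the check so that an encoded spelling of the same `..` segment is not missed.

```python
"""Access-log sweep: flag requests to the private-archive CGI whose decoded
path contains a '..' segment.  Added example, not Mailman's code or part of
the advisory; SAMPLE_LOG is constructed and PRIVATE_PREFIX is an assumption."""
import re
from urllib.parse import unquote

PRIVATE_PREFIX = "/mailman/private/"

# Apache common log format, first seven fields; enough for this sweep.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines: one ordinary archive hit, two traversal attempts
# (one of them percent-encoded), and one request to a different CGI.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Feb/2005:10:06:55 +0900] "GET /mailman/private/mylist/2005-February/000001.html HTTP/1.0" 200 5120
192.0.2.11 - - [11/Feb/2005:10:07:01 +0900] "GET /mailman/private/mylist/../../../elsewhere/file HTTP/1.0" 200 1234
192.0.2.12 - - [11/Feb/2005:10:07:05 +0900] "GET /mailman/private/mylist/%2e%2e/%2e%2e/elsewhere/file HTTP/1.0" 200 4096
192.0.2.13 - - [11/Feb/2005:10:07:09 +0900] "GET /mailman/listinfo/mylist HTTP/1.0" 200 2048
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_traversal_attempt(path):
    """True when the request targets the private-archive CGI and, after
    percent-decoding and dropping any query string, some segment is '..'."""
    decoded = unquote(path.split("?", 1)[0])
    if not decoded.startswith(PRIVATE_PREFIX):
        return False
    return ".." in decoded.split("/")


def find_traversal_attempts(log_text):
    """Return (host, time, decoded_path, status) for every flagged request.
    A 200 on a flagged line is the case to look at first; a 403 or 404
    means the server or the CGI refused it."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_traversal_attempt(rec["path"]):
            hits.append((rec["host"], rec["time"], unquote(rec["path"]), int(rec["status"])))
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(*hit)
```

Feed the real access log through `find_traversal_attempts` in place of SAMPLE_LOG; on the constructed lines it reports the two requests from 192.0.2.11 and 192.0.2.12 and nothing else.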
Re: [Mailman-Users] Critical security update for Mailman 2.1.5 and earlier
Can this be applied to any 2.1 release? I am running 2.1 at the moment.

Thanks.

> Until Mailman 2.1.6 is released, the longer term fix is to apply this patch:
>
> http://www.list.org/CAN-2005-0202.txt
Re: [Mailman-Users] Critical security update for Mailman 2.1.5 and earlier
* AJ [EMAIL PROTECTED]:
> Can this be applied to any 2.1 release? I am running 2.1 at the moment.

The patch is very small, so I'd think yes.

-- 
Ralf Hildebrandt (on behalf of the IT-Zentrum)   [EMAIL PROTECTED]
Charite - Universitätsmedizin Berlin             Tel. +49 (0)30-450 570-155
Joint institution of FU and HU Berlin            Fax. +49 (0)30-450 570-962
IT-Zentrum, CBF site                             send no mail to [EMAIL PROTECTED]
Re: [Mailman-Users] Critical security update for Mailman 2.1.5 and earlier
OK, thanks. With no modifications it did not apply, but I can probably get it to work. It shouldn't cause any issues w/ 2.1 should it?

Thanks.

Quoting Ralf Hildebrandt [EMAIL PROTECTED]:
> * AJ [EMAIL PROTECTED]:
> > Can this be applied to any 2.1 release? I am running 2.1 at the moment.
>
> The patch is very small, so I'd think yes.
Re: [Mailman-Users] Critical security update for Mailman 2.1.5 and earlier
To answer a few recent questions.

To the best of my knowledge the patch is safe for any version of Mailman that contains the function true_path in private.py.

You will not see a new .pyc or .pyo file generated until the script is executed for the first time after the change. In other words, until someone logs into a private archive for the first time. If you're really concerned about the old .pyc or .pyo files you can manually remove them.

-- 
John Dennis [EMAIL PROTECTED]